POSTAL REGULATORY COMMISSION
OFFICE OF INSPECTOR GENERAL

FINAL REPORT

INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES

Audit Report 10-02-A01
December 17, 2010

Table of Contents

INTRODUCTION
    Background
    Objectives, Scope, and Methodology
    Prior Audit Coverage
RESULTS
    Follow up on Prior Audit Recommendations
        Recommendation 1
        Management's Comments
        Evaluation of Management's Comments
        Recommendation 2
        Management's Comments
        Evaluation of Management's Comments
    Access Controls
        Recommendation 3
        Management's Comments
        Evaluation of Management's Comments
APPENDIX A
APPENDIX B

Information Security Management and Access Control Policies                    10-02-A01

Introduction

Background

This document presents the results of our follow-up audit on Federal Information Security Management Act (FISMA) compliance activities and access controls in the Postal Regulatory Commission's (PRC) information security policy. [1] Our objective was to determine whether the control issues identified and recommendations made in the 2008 FISMA audit have been sufficiently addressed, and whether the PRC Information Technology (IT) security policy is adequate to prevent unauthorized access to PRC data and resources.

In a November 2008 report to the PRC Chairman, [2] the PRC Office of Inspector General (OIG) presented the results of our audit work on compliance with FISMA and implementation of security controls. The November 2008 report identified twelve areas of concern related to FISMA compliance and included three recommendations: that the PRC strengthen its information security program, revise its IT Plan of Actions and Milestones (POAM) document, and list its database containing Personally Identifiable Information (PII) as a separate system in future FISMA reports. In an April 2010 report, [3] the PRC OIG presented the results of audit work on physical access controls related to the handling of non-public information, in response to requests by Congress and the PRC Chairman. Subsequent to this report, Congress expressed an interest in the controls the PRC has implemented to protect sensitive information provided by the U.S. Postal Service. During this audit, we reviewed follow-up activities addressing the recommendations in the November 2008 report and the adequacy of access controls in the PRC's information security policy.

FISMA (Title III of the E-Government Act) [4] provides a framework for securing government information technology. FISMA requires federal agencies to develop, document, and implement an enterprise-wide program to provide information security for the information and information systems that support the operations and assets of the agency.

FISMA requires micro agencies [5] to submit information on their systems inventory, as well as the status of their certification and accreditation program. In addition, micro agencies must submit information on the status of security configuration management, incident response and reporting, security training, plans of action and milestones, remote access, account and identity management, continuous monitoring, contingency planning, and oversight of contractors' systems. Micro agencies, including the PRC, must submit FISMA annual report information via CyberScope. [6]

OMB policies require federal agencies to follow National Institute of Standards and Technology (NIST) standards and guidelines. In response to FISMA, NIST established the FISMA Implementation Project, which promotes the development of key security standards and guidelines to support the implementation of and compliance with FISMA. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. NIST publishes the Federal Information Processing Standards, which govern the minimum security requirements. The minimum security requirements cover 17 security-related areas designed to protect the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. Access control is one of the 17 security requirements; it requires organizations to limit information system access to authorized users and to processes acting on behalf of authorized users. NIST access controls also require organizations to limit information system access to the types of transactions and functions that authorized users are permitted to exercise. Organizations are also required to develop, disseminate, and review/update a formal and documented access control policy. Access control areas include, but are not limited to, authorizations for logical access, separation of duties, least privilege, unsuccessful login attempts, and encryption. Additionally, organizations should establish personnel security requirements, including security roles and responsibilities for third-party providers, and monitor provider compliance. Third-party providers include contractors and other organizations providing information system development, IT services, and network and security management.

Objectives, Scope, and Methodology

Our audit objectives were to determine whether the control issues identified and recommendations made in the 2008 FISMA audit have been sufficiently addressed, and whether the PRC's IT security policy is adequate to prevent unauthorized access to PRC data and resources.

To accomplish our objectives, we interviewed key PRC personnel and reviewed relevant policies, procedures, and other documentation. We reviewed the fiscal year 2008, 2009, and 2010 FISMA reporting requirements, the PRC's 2008 annual FISMA report submitted to OMB, and the January 2008 and April 2010 prior audit reports. We also reviewed the PRC's security plan, performance metrics, Continuity of Operations Plan (COOP), intrusion reports, and other relevant documents to determine the actions taken to address the issues and recommendations in the November 2008 audit report. We reviewed the PRC's information security policy as well as various NIST publications related to access controls and encryption. We compared the Postal Regulatory Commission Information Security Policy to the NIST access controls and to the Postal Service's Handbook AS-805, Information Security.

An audit team on detail from the United States Postal Service OIG conducted this performance audit from June through December 2010 in accordance with generally accepted government auditing standards, and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We discussed our observations and conclusions with management officials on November 18, 2010, and included their comments where appropriate.

We did not assess the reliability of computer-generated data.

Prior Audit Coverage

Postal Regulatory Commission's Handling of Nonpublic Information (Report Number 10-01-A01, dated April 30, 2010). The PRC OIG made two recommendations to PRC management regarding the development of a formal training program on security requirements for safeguarding non-public information, and the development of a method of reporting security incidents related to nonpublic information. The PRC made a commitment to implement these recommendations.

FISMA Compliance and Information Security Controls (Report Number AR-08-02A-02, dated November 14, 2008). The PRC OIG made three recommendations to PRC management: to strengthen its information security program, revise its information technology Plan of Actions and Milestones document, and list its database containing PII as a separate system in future FISMA reports. PRC management agreed with all the recommendations.

Information Technology Governance and Information Security Planning (Report Number 07-02A-01, dated January 30, 2008). The PRC OIG made five recommendations to PRC management: that the PRC complete a formal information security plan; implement an organizational structure with defined roles and responsibilities; develop formal information security policies and procedures; document the PRC's enterprise architecture; and implement an ongoing monitoring plan with achievable and realistic goals. PRC management agreed with all five recommendations.

Results

The PRC is progressing in some areas of its IT security program. However, the PRC has not sufficiently addressed the areas of concern and has not fully implemented recommendations one and two identified in our November 2008 audit report. In addition, the access controls in the PRC's information security policy could be strengthened by aligning the policy with the NIST access control standards.

Follow up on Prior Audit Recommendations

While the PRC made progress in addressing the three recommendations listed in the November 2008 audit report, recommendations one and two remain open.

The November 2008 audit report listed twelve areas of concern, six of which the PRC addressed before the final report was issued. In response to the prior report's first recommendation, the Commission agreed to continue to strengthen its information security program in accordance with FISMA. However, our follow-up review determined that the PRC has not taken action to address concerns in four areas:

• The PRC's PII Breach Notification Policy [7] does not address rules of behavior and corrective actions for failure to protect PII, as required by Office of Management and Budget (OMB) policy. [8] PRC management acknowledged the omission and indicated that this is due to recent turnover in PRC IT personnel.

• The PRC has not completed the implementation of its incident policy or procedures for reporting security incidents to the Computer Emergency Response Team in accordance with FISMA requirements and NIST standards. [9] Although the PRC revised its incident reporting guidelines from the draft version we reviewed in the 2008 audit, these guidelines remain in draft. PRC management has not approved these policies because PRC IT has not completed its penetration testing of the PRC network.

• The PRC has not finalized its COOP or conducted the final testing of the COOP. This occurred because the PRC rate adjustment hearings took priority, and the network could not be disrupted while the hearings were being conducted. Policy [10] requires the development and testing of a contingency plan.

• The three performance metrics [11] the PRC identified to measure the effectiveness and efficiency of security policies and procedures were not different from the ones used in the FISMA reporting instructions. FISMA [12] requires agencies to develop three performance metrics used to measure the effectiveness and efficiency of security policies and procedures. These metrics must be different from the ones used in the FISMA reporting instructions. This occurred because management was not aware of this requirement.

Addressing these four issues will strengthen the PRC's information security program and improve the protection of sensitive information.

We recommend the Postal Regulatory Commission:

1. Continue to strengthen its information security program in accordance with the Federal Information Security Management Act by:

    • addressing rules of behavior and corrective actions for failure to protect personally identifiable information in its Personally Identifiable Information Breach Notification Policy;

    • completing the implementation and finalizing its incident policy or procedures for reporting security incidents to the National Computer Emergency Response Team;

    • finalizing and conducting tests of its Continuity of Operations Plan; and

    • developing the performance metrics for the effectiveness and efficiency of security policies and procedures.

Management's Comments

PRC management provided a response to a draft of this audit report on December 15, 2010. A copy of that response is included as Appendix B of this report. Management agreed with this recommendation and committed to implement the four items above by June 3, 2011.

Evaluation of Management's Comments

Management's comments are responsive to the recommendation, and the action taken or planned should correct the issue identified.

In response to the 2008 audit report's second recommendation, the Commission agreed to revise its POAM to reflect the mapping of specific program and system-level security weaknesses, remediation needs, resources required for implementation, and scheduled completion dates, and to ensure its actions are aligned with its long- and short-term strategic goals and mission. The target completion date was June 2009.

Our follow-up review noted the progress the PRC has made since its 2008 POAM in addressing specific program and system-level security weaknesses, identifying remediation needs, and identifying resources required for implementation, as required by FISMA. [13] Overall, the PRC has completed 73% of the items listed in the 2010 POAM, while 27% of the items are in progress. However, we also noted that the PRC does not consistently document completion or anticipated completion dates in the POAM. For example, the PRC has not documented completion dates for any of the 46 completed items in the 2010 POAM. This occurred because of recent turnover in PRC IT personnel.

Completion of the POAM will ensure the PRC's actions are aligned with its long- and short-term strategic goals and mission.

We recommend the Postal Regulatory Commission:

2. Complete the Information Technology Plan of Actions and Milestones to reflect scheduled completion dates, to ensure its actions align with its long- and short-term strategic goals and mission.

Management's Comments

Management agreed with this recommendation and committed to updating its POAM by June 3, 2011.

Evaluation of Management's Comments

Management's comments are responsive to the recommendation, and the action taken or planned should correct the issue identified.

In response to the 2008 audit report's third recommendation, the PRC agreed to list its database containing PII as a separate system in future FISMA reports if it could not remove the PII from the database because of continual use for mission purposes. We were unable to determine whether the PRC listed its database [14] as a separate system because the PRC has not filed its 2009 annual FISMA report with OMB. In addition, the PRC has not removed the PII from the database. Policy states that all information systems should be included as part of the FISMA report. [15] This oversight occurred because the PRC has experienced recent turnover in its IT staff.

Effectively managing sensitive information ensures controls are in place to protect employee privacy.

Corrective Action: The PRC listed the database containing PII in its 2010 annual FISMA report; therefore, we will not make a recommendation.

Access Controls

The PRC information security policy addresses 10 of the 16 access control standards required by NIST. However, the policy only partially addresses five standards, and one standard is not addressed. This occurred because recent turnover of PRC IT personnel resulted in delays in updating the security policy. In addition, we noted that the PRC information security policy addresses the six related identification [16] and authentication [17] controls required by NIST.

NIST provides access control standards for low, moderate, and high impact systems as defined by the Federal Information Processing Standards. [18] We reviewed the 16 NIST baseline access controls for all system impact levels, along with the seven accompanying enhanced controls for moderate and high impact systems. The PRC has categorized its information and information systems as moderate and high, which requires compliance with the baseline controls and the applicable enhanced controls. See Appendix A for details on our review of the PRC's information security policy compliance.

We also compared the PRC information security policy to the Postal Service Handbook AS-805, Information Security, to benchmark it against the Postal Service's access control policy. [19] While the PRC information security policy includes most of the security controls listed in Handbook AS-805, it only partially addresses remote access, wireless access, and minimum standards for encryption. The PRC policy also does not state whether laptops and notebook computers are or should be encrypted. In addition, the PRC information security policy does not define personal identification numbers, smart cards and tokens, or biometrics. The PRC is not required to follow Postal Service Handbook AS-805; therefore, we are not making a recommendation.

The implementation of access controls protects the confidentiality and integrity of information from unauthorized users.

We recommend the Postal Regulatory Commission:

3. Update the PRC Information Security Policy to reflect access controls that align with the National Institute of Standards and Technology access control standards.

Management's Comments

Management agreed with this recommendation and committed to updating its information security policy by June 3, 2011.

Evaluation of Management's Comments

Management's comments are responsive to the recommendation, and the action taken or planned should correct the issue identified.

Footnotes

[1] Postal Regulatory Commission Information Security Policy, Version 1.7, dated March 17, 2008.
[2] FISMA Compliance and Information Security Controls, Report Number AR-08-02A-02, dated November 14, 2008.
[3] Postal Regulatory Commission's Handling of Non-Public Information, Report Number 10-01-A01, dated April 10, 2010. The PRC OIG conducted this audit with assistance from the Inspections and Evaluation Staff of the Treasury Inspector General for Tax Administration.
[4] Public Law 107-347, Title III, Information Security, Section 301, Subsection 3541, enacted December 17, 2002.
[5] Micro agencies employ 100 or fewer full-time employees.
[6] CyberScope is the platform for the FY 2010 FISMA submission process.
[7] Personally Identifiable Information Breach Notification Policy, dated October 3, 2008.
[8] OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Attachment 4: Rules and Consequences, dated May 22, 2007.
[9] NIST Special Publication 800-53 Revision 3, Information Security, dated August 2009, pages F63 and F64.
[10] NIST Special Publication 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, dated May 2010; NIST Special Publication 800-53 Revision 3, Information Security, dated August 2009; and Postal Rate Commission, Information Security Policy, dated March 17, 2008.
[11] The PRC identified its three performance metrics as (1) number of incidents, (2) number of attempts, and (3) response relating to intrusion incidents.
[12] OMB M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated August 20, 2009. Chief Information Officer Questions, Question 9: Performance Metrics for Security Policies and Procedures; Question 4: Incident Detection, Monitoring, and Response Capabilities; and Question 8: Incident Report.
[13] OMB M-09-29, pages 9 and 12.
[14] The Admin Database is a Microsoft Access file that maintains employee information, including PII.
[15] OMB M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated August 20, 2009, and CIO Questions Attachment.
[16] Identification is the process of associating a person or information resource with a unique enterprise-wide identifier (for example, a user logon ID).
[17] Authentication is the process of verifying the claimed identity of an individual, workstation, or originator.
[18] Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004.
[19] Postal Service Handbook AS-805, Information Security, dated November 2009.

APPENDIX A: DETAILED ANALYSIS

Access Controls

Table 1. PRC Compliance with NIST Access Controls.

Columns: "Baseline addressed" records whether the PRC Information Security Policy addresses the NIST baseline control (Yes / Partially / No); "Enhancements addressed" records the same for the accompanying control enhancements, for the controls marked with an asterisk (*), which include both baseline and enhancement controls.

| # | NIST control | Code | Baseline addressed | Enhancements addressed | Details |
|---|---|---|---|---|---|
| 1 | Access Control Policy and Procedures | AC-1 | Yes | | |
| 2 | Account Management * | AC-2 | Yes | Partially | a) Temporary and emergency accounts are not specifically identified or addressed. b) The policy does not indicate that access will be automatically terminated after a defined period. |
| 3 | Access Enforcement | AC-3 | Yes | | |
| 4 | Information Flow Enforcement | AC-4 | Yes | | |
| 5 | Separation of Duties | AC-5 | Yes | | |
| 6 | Least Privilege * | AC-6 | Yes | Partially | The policy does not state that users of information system accounts, or roles, with access to defined/specific security functions or security-relevant information are required to use non-privileged accounts (for example, accounts with read-only access), or roles, when accessing other system functions. |
| 7 | Unsuccessful Login Attempts | AC-7 | Yes | | |
| 8 | System Use Notification | AC-8 | Yes | | |
| 9 | Concurrent Session Control | AC-10 | Partially | | The policy does not address limitations on the number of concurrent sessions allowed by the information systems, as required. Rather, it indicates the information resource must provide the administrator-configurable capability to limit the number of concurrent logon sessions for a given user. |
| 10 | Session Lock | AC-11 | Yes | Yes | |
| 11 | Permitted Actions without Identification or Authentication * | AC-14 | Yes | Yes | |
| 12 | Remote Access * | AC-17 | Yes | Yes | |
| 13 | Wireless Access * | AC-18 | Partially | Yes | The policy does not specifically cover the enforcement of wireless connections to information systems. |
| 14 | Access Control for Mobile Devices * | AC-19 | Yes | Yes | |
| 15 | Use of External Information Systems * | AC-20 | Yes | Partially | The policy does not: a) address approved information system connection or processing agreements with organizational entities hosting external information systems; b) provide specific limitations on the use of portable storage media by authorized individuals on external information systems. |
| 16 | Publicly Accessible Content | AC-22 | No | | The policy does not contain specific language that addresses this control. |

* These access controls include baseline and enhancement controls.

APPENDIX B: MANAGEMENT RESPONSE